Last Updated on August 3, 2025 by Arnav Sharma
Security should always be the topmost concern when working with information and data, especially when working in a cloud-based solution, like Azure DevOps.
Microsoft keeps the underlying cloud infrastructure secure, but it’s up to the end-user to configure security in Azure DevOps.
Here’s a quick checklist.
Authentication
Enable Azure AD authentication from the Organization Security Settings

AAD – Enable Conditional Access with Named locations to ensure that MFA is enforced and that Azure DevOps can be accessed only from the required locations.
Disable Public Projects (A public project gives non-members of a project and users who aren’t signed in read-only, limited access to the project’s artifacts and services.)

Project Permissions
Set the project level permissions to Private:

Leverage built-in permissions when possible, and grant access to groups instead of adding individual users.
When a new group or custom permissions are needed, click on New Group and set the permissions on the individual options:
Repository protection
Policies and settings can be managed at the project level or at the repo level.
For the project level:

Permissions for users/groups can be controlled using the Settings option: select the group, then set the required permissions:
Branch-level policies can be set at the project level or on a specific repo, such as a minimum number of reviewer approvals for a PR:
Additional policies can be set from the same page:
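The same two checks from this list (no public projects, and an enforced minimum-reviewer branch policy) can be reviewed from exported REST data instead of clicking through each project. The following is an added example, not part of the original post: the field names follow the Azure DevOps REST API's project list and policy configuration responses, the sample data is constructed, and the two-approver threshold is an assumption.

```python
import json

# Type ID of the built-in "Minimum number of reviewers" branch policy.
MIN_REVIEWERS_TYPE = "fa4e907d-c16b-4a4c-9dfa-4906e5d171dd"
# Constructed sample data shaped like the REST responses (not real output).
PROJECTS = json.loads("""{"value": [
  {"name": "payments", "visibility": "private"},
  {"name": "docs-site", "visibility": "public"}]}""")
POLICIES = json.loads("""{"value": [
  {"type": {"id": "fa4e907d-c16b-4a4c-9dfa-4906e5d171dd"},
   "isEnabled": true, "isBlocking": true,
   "settings": {"minimumApproverCount": 1, "creatorVoteCounts": true,
     "scope": [{"refName": "refs/heads/main", "matchKind": "Exact",
                "repositoryId": "repo-a"}]}},
  {"type": {"id": "fa4e907d-c16b-4a4c-9dfa-4906e5d171dd"},
   "isEnabled": true, "isBlocking": false,
   "settings": {"minimumApproverCount": 2, "creatorVoteCounts": false,
     "scope": [{"refName": "refs/heads/release", "matchKind": "Prefix",
                "repositoryId": null}]}}]}""")

def public_projects(projects):
    """Names of projects whose visibility is anything other than 'private'."""
    return [p["name"] for p in projects["value"]
            if p.get("visibility", "").lower() != "private"]

def weak_reviewer_policies(policies, min_approvers=2):
    """Return (scope, reason) pairs for reviewer policies that do not enforce review."""
    findings = []
    for cfg in policies["value"]:
        if cfg["type"]["id"] != MIN_REVIEWERS_TYPE:
            continue  # some other policy type (build validation, etc.)
        s = cfg["settings"]
        reasons = []
        if not cfg.get("isEnabled"):
            reasons.append("disabled")
        if not cfg.get("isBlocking"):
            reasons.append("optional (not blocking)")
        if s.get("minimumApproverCount", 0) < min_approvers:
            reasons.append(f"fewer than {min_approvers} approvers")
        if s.get("creatorVoteCounts"):
            reasons.append("author can approve own PR")
        for scope in s.get("scope", []):
            # A null repositoryId means the policy is set at the project level.
            target = f"{scope.get('repositoryId') or 'all repos'}:{scope.get('refName')}"
            findings.extend((target, r) for r in reasons)
    return findings

print(public_projects(PROJECTS), weak_reviewer_policies(POLICIES))
```

A branch with no reviewer policy at all will not appear in the policy data, so compare the reported scopes against the list of branches that are expected to be protected.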
Enable Auditing
Enable Auditing at the Org level:

Enabling Auditing will add a new option under General:

And ensure that only limited groups/users have access to delete the audit logs:

More details on DevOps: Azure DevOps documentation | Microsoft Docs
